Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12OXA5LTUzNXctNDI4Nc0shg
Prototype Pollution in litespeed.js and appwrite/server-ce
This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability.
Permalink: https://github.com/advisories/GHSA-v9p9-535w-4285JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12OXA5LTUzNXctNDI4Nc0shg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-v9p9-535w-4285, CVE-2021-23682
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23682
- https://github.com/appwrite/appwrite/pull/2778
- https://github.com/litespeed-js/litespeed.js/pull/18
- https://github.com/appwrite/appwrite/releases/tag/0.11.1
- https://github.com/appwrite/appwrite/releases/tag/0.12.2
- https://snyk.io/vuln/SNYK-JS-LITESPEEDJS-2359250
- https://snyk.io/vuln/SNYK-PHP-APPWRITESERVERCE-2401820
- https://github.com/advisories/GHSA-v9p9-535w-4285
Blast Radius: 13.3
Affected Packages
packagist:appwrite/server-ce
Dependent packages: 0Dependent repositories: 0
Downloads: 434 total
Affected Version Ranges: < 0.11.1, >= 0.12.0, < 0.12.2
Fixed in: 0.11.1, 0.12.2
All affected versions: 0.1.13, 0.1.15, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.11.0, 0.12.0, 0.12.1
All unaffected versions: 0.11.1, 0.11.2, 0.12.2, 0.12.3, 0.12.4, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4
npm:litespeed.js
Dependent packages: 7Dependent repositories: 18
Downloads: 37 last month
Affected Version Ranges: < 0.3.12
Fixed in: 0.3.12
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.5, 0.3.6, 0.3.7, 0.3.9, 0.3.10, 0.3.11
All unaffected versions: 0.3.12